> On 28 Mar 2023, at 14:46, sebb <seb...@gmail.com> wrote:
>
> On Tue, 28 Mar 2023 at 12:42, Dirk-Willem van Gulik
> <di...@webweaving.org> wrote:
>>
>>
>> On 28 Mar 2023, at 13:11, Arnout Engelen <enge...@apache.org> wrote:
>>
>>> In Apache we already have a kind of hierarchy where a PMC covers
>>> multiple projects, and each project can publish a number of artifacts.
>>> At first glance it would make sense to document how to 'encode' that
>>
>> As we currently de facto assume that any PMC gets a domain such as
>> <pmc-name>.apache.org - with a human oriented website at
>> https://pmc-name.apache.org/ associated - I would guess that
>> org.apache.<pmc-name> or the FQDN is a good start for any PMC. As we're
>> likely to keep that namespace free of clashes - even over very long periods
>> of time.
>>
>> Now a lot of PMCs just have one `product' -- often with the same name.
>>
>> So perhaps a simple rule that removes any consecutive duplicates would be
>> a good start. Although ISO/IEC 19770-2:2015 and the IETF work on a SWID do
>> sort of assume you do not do exactly that (they assume a regid that way
>> separate from product identifier AFAIU).
>>
>> Having incubator prefixes `invalidate' as they become TLPs is not that big
>> a loss.
>
> What about TLP renames?

Well - I would imagine* that we generally do this forward - and would find it very acceptable that a (vulnerability in an) old package retains its 'old' TLP name; while more recent vulnerabilities get a new name? Or am I missing something?

Dw.

*) I am trying to avoid getting into https://www.rfc-editor.org/rfc/rfc3406 and https://www.rfc-editor.org/rfc/rfc2483 and https://www.ietf.org/rfc/rfc3404.txt